Runtime Env API
Runtime env variables are encrypted environment values inherited by MIOSA
runtime surfaces. They can be scoped to a tenant, workspace, or project and
targeted to all, sandbox, computer, or agent.
Base path: /api/v1/runtime-env
Endpoints
| Method | Path | Description |
|---|---|---|
GET | /api/v1/runtime-env | List runtime env vars |
POST | /api/v1/runtime-env | Create or upsert a runtime env var |
GET | /api/v1/runtime-env/{id} | Fetch metadata for one runtime env var |
PATCH | /api/v1/runtime-env/{id} | Update a runtime env var |
PUT | /api/v1/runtime-env/{id} | Update a runtime env var |
DELETE | /api/v1/runtime-env/{id} | Delete a runtime env var |
List
GET /api/v1/runtime-env?scope=workspace&workspace_id=ws_123&target=sandbox
Authorization: Bearer msk_live_...Query parameters:
| Parameter | Type | Description |
|---|---|---|
scope | string | tenant, workspace, or project |
workspace_id | string | Required when filtering workspace scope |
project_id | string | Required when filtering project scope |
target | string | all, sandbox, computer, or agent |
Response:
{
"data": [
{
"id": "env_123",
"tenant_id": "tenant_123",
"workspace_id": "ws_123",
"project_id": null,
"scope": "workspace",
"target": "sandbox",
"name": "ANTHROPIC_API_KEY",
"preview": "sk-ant...abcd",
"enabled": true,
"metadata": { "provider": "anthropic" },
"created_at": "2026-06-15T15:16:00Z",
"updated_at": "2026-06-15T15:16:00Z"
}
]
}Create or upsert
POST /api/v1/runtime-env
Authorization: Bearer msk_live_...
Content-Type: application/json{
"scope": "workspace",
"workspace_id": "ws_123",
"target": "sandbox",
"name": "ANTHROPIC_API_KEY",
"value": "sk-ant-...",
"metadata": {
"provider": "anthropic"
}
}Request fields:
| Field | Type | Required | Description |
|---|---|---|---|
scope | string | yes | tenant, workspace, or project |
workspace_id | string | conditional | Required for workspace scope |
project_id | string | conditional | Required for project scope |
target | string | no | all, sandbox, computer, or agent; defaults to all |
name | string | yes | Uppercase environment variable name |
value | string | yes | Plaintext value to encrypt |
enabled | boolean | no | Whether this value should be materialized |
metadata | object | no | Provider, owner, rollout, or product metadata |
Unique identity:
| Scope | Unique by |
|---|---|
tenant | tenant_id, name, target |
workspace | tenant_id, workspace_id, name, target |
project | tenant_id, project_id, name, target |
Update
PATCH /api/v1/runtime-env/env_123
Authorization: Bearer msk_live_...
Content-Type: application/json{
"value": "sk-ant-new",
"enabled": true
}Delete
DELETE /api/v1/runtime-env/env_123
Authorization: Bearer msk_live_...Response:
{
"ok": true,
"id": "env_123"
}Materialization behavior
Runtime env is materialized when MIOSA prepares command or agent environment for sandboxes, computers, and prompt-driven agent runs. The current merge order is:
- tenant
all - tenant target-specific
- workspace
all - workspace target-specific
- project
all - project target-specific
- per-resource env
- per-run env
More specific values override earlier values with the same variable name.